Moving the industry forward: Gula Tech Adventures and its model of a cybersecurity impact hub
A deep dive into the work of Gula Tech Adventures, a unique player in the cybersecurity ecosystem
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Being able to categorize things into groups helps us observe patterns, find trends, and build mental models of the world we live in. This is the case in a general sense as well as in the context of cybersecurity. It is this ability to group similar observations that made it possible for me to talk about the reasons there are so many security vendors, data gravity and its impact on the future of security, the move from promise-based to evidence-based security, and other trends. Every entity - be it a VC firm, a product company, a service provider, or an investment bank - can be described and analyzed both as a stand-alone component, and a building block of the ecosystem. This is exactly what I did with corporate venture funds, angel investing, channel partners, industry analyst firms, and incubators and accelerators in cybersecurity, to name a few. Sometimes, however, it is not as simple.
Gula Tech Adventures is a prime example of an ecosystem player that is more than one thing at once. It invests in startups, but it isn’t a traditional VC firm: there are no LPs and no 10-year funds. It is funded by Ron and Cyndi Gula, which in some sense makes it similar to a family office, but it isn’t a family office either: Gula Tech Adventures is much more sophisticated and employs its deep and hard-earned technological and business subject matter expertise as an active cybersecurity investor. Aside from funding security innovation, it also supports nonprofits working to advance the industry, engages and supports policymakers that are tackling complex issues of security, and raises awareness and educates about “data care” (I will discuss it in detail later) and other cyber issues, to name a few. All this, and several other characteristics, make Gula Tech Adventures a truly unique player in the cybersecurity ecosystem, hence why it deserves a dedicated piece.
Solving the industry problems holistically
One of the main challenges that prevent the industry from being able to mature at the right pace is the fact that there are many components to this maturity:
Vendors should be able to deliver their solutions in such a way that enables security practitioners to try before they buy, instead of having to spend hours sitting through mandatory demos and meeting minimum spend requirements
Investors need to be able to understand and evaluate cybersecurity solutions so that instead of funding hundreds of “me too” tools, they can support those solving real problems for actual customers in ways that are scalable and future-proof (I have previously discussed why VCs with little understanding of security are often struggling to make good decisions)
Cybersecurity as an industry has to overcome the legacy of social challenges it has been facing such as those around diversity and accessibility
People need to start understanding the importance of handling their data securely and developing the right habits such as using MFA, password managers, double-checking suspicious messages, etc.
The government needs to establish the right policies that put systems and processes in place to safeguard critical infrastructure and increase the level of cybersecurity maturity within the public sector, especially at the county and the state levels
For us to move the industry forward, we need to address all of these (and many more) areas; skipping just one will leave a large gap in the overall picture. Most of the ecosystem players - think tanks, investors, professional groups, non-profits, and the like - lack the resources and the connections needed to tackle more than one of these challenges. That is understandable, but unless forces in different areas share the same vision and mindset, it can lead to misaligned efforts.
Gula Tech serves as an impact hub, tackling the industry problems holistically
Origins and the broad mandate of the Gula Tech Adventures
Ron and Cyndi Gula, the founders of Gula Tech Adventures, have accumulated decades of experience as founders and operators of successful cybersecurity companies. The origins of the Gula Tech Adventures go back to Ron’s and Cyndi’s time at Tenable; at the end of their tenure, they made a few investments, some of which didn’t go great, while others performed amazingly well. It was then that the family decided to pursue achieving impact in the industry as their main area of focus, and in 2017, Gula Tech Adventures was born: as an early-stage investor, and a player in the broader startup ecosystem.
When one visits the Gula Tech Adventures website, it is easy to assume that Gula Tech is simply one of the cybersecurity-focused venture firms (in fact, that is also how I've categorized it in my original piece about VCs investing in security). That isn’t the case. What I think is the most interesting about Gula Tech’s model is its focus on several components of the ecosystem: startups (via the investment arm), government (via engagement with policymakers), and society in a broader sense (via advocacy and collaboration with nonprofits). While I have initially deemed it to be a VC firm, and that’s how it looks from the outside, I would now categorize Gula Tech as an impact hub.
Investing in cybersecurity startups
Gula Tech Adventures is the investment arm of the Gulas’ impact hub. The firm typically invests in cybersecurity startups at seed and Series A stages, although it also does bridge rounds, convertible notes, some B rounds, and more. In the past, Gula Tech also participated as a limited partner (investor) in some other cybersecurity-focused VC funds.
The reason for this kind of flexibility is that Gula Tech Adventures - the approximately $150M investment fund - is fully funded by Ron and Cyndi Gula. This is an important factor that makes the firm a rather unique player in cybersecurity-focused VC space, and one that has several consequences:
Since there is no external capital, it means there is no LP (limited partners - investors in a typical VC fund) council and no external influence on investment decisions. Importantly, this means that the Gulas are able to invest in startups that may have an outstanding ROI, but – unlike traditional VCs – can also choose to invest in startups that are pushing forward critical technological developments and products, but may not be as profitable for any number of reasons.
There is no need for the firm to raise capital from institutional investors and high-net-worth individuals every for-to-five years (a complex and time-consuming process for most VCs)
There is no pressure to exit all the investments within 10 years (a standard life of the VC fund)
The Gula Tech model has a critical impact on enabling innovation. Venture capital enables innovation and encourages risk-taking; it brought to us many world-defining companies such as Google, Amazon, and Microsoft. It is because of VC funding that we got cybersecurity players such as CrowdStrike and Zscaler, to name a few. There is, however, a dark side of venture capital, and it has to do with the way the traditional VC model works: all investments must be exited (liquidated) within 10 years - either by having the portfolio company IPO, get acquired, or less ideally - by selling the investment to another VC at a discount on the secondary market. As an industry, we need more long-term thinking, and that is only possible when there isn’t pressure to produce exits in 5 to 8 years from the time of the investment. To make it possible, ideally, we would need to have early-stage investors with longer time horizons (cybersecurity is a deep tech domain, and it can take a long time to commercialize security innovation). It’s important to emphasize that Gula Tech Adventures is an investor, and it still needs to produce financial returns. However, the fact that there is no mandate to get these returns in under 10 years, means that the firm can place longer-term bets and ultimately buy some time for early-stage startups.
Several other aspects make Gula Tech Adventures interesting as an investor:
Its team is pretty small and consists of senior professionals that employ their relevant industry expertise, so it can make highly-nuanced and informed decisions quickly. The entire team then actively engages and supports their portfolio companies in various ways (coaching of founders and CEOs, product testing, strategy development, go-to-market support, as well as introductions to potential partners and customers).
Ron Gula personally deploys most of the products the company invests in, and is very hands-on when it comes to due diligence and post-investment support.
The firm believes in “not leaving wounded on the battlefield”, meaning that even if their portfolio company is struggling, Ron and the team will make an effort to get it acquired, help the founders to find jobs in bigger companies, and the like. The idea is to support entrepreneurs in recovering from failure so that they can learn and start new companies again.
The investment decisions are made by analyzing the three components: the problem, the fundamentals of the deal (financials), and the team. For some VCs, it is enough to see that one of the three is strong enough to say “yes” to funding the company; the Gula team is looking at all three equally and looking for ways it can actively support the potential investment on its way forward.
Gula Tech Adventures sees investing in early-stage startups as a journey, and its model makes it more likely that they are going to place long-term bets. Its active participation in the industry has earned the recognition of PitchBook as one of the most active investors.
Gula Tech Foundation: a force for good in cybersecurity
Gula Tech Foundation is the philanthropic arm of what I define as Gula Tech’s impact hub. The foundation, also funded entirely by Ron and Cyndi Gula, is a tool to finance and create a push for broad social changes in the industry, anything from getting more minorities into cybersecurity to educating the general public about the importance of using password managers.
Gula Tech Foundation offers two competitive grants per year; this year it is on its fifth grant. The focus of these grants is to not simply provide money but to raise awareness and educate about important issues. A critical component is also to enable nonprofits to use funding in such a way that helps them expand their capacity to provide effective programs and receive greater engagement and financial support from their local state or county, or even federal governments. This seems to have been working well; a case in point is NPower, an organization that won a $300k competitive grant from the Gula Tech Foundation and was later invited to participate in the White House’s National Cyber Workforce and Education Summit.
One of the important lessons from offering grants is that support should be very specific and as close to the people who need it as possible. Saying “I want to increase diversity” is not enough; to help children, one must talk to children, and to help seniors, one should hear from seniors about their actual needs. It doesn’t work to have people who do not understand the problems firsthand try solving them.
While it is not uncommon for VC firms to donate a portion of their carry (profits) to charity, it is very unusual to have a foundation that runs its own grants process regardless of the financial performance of the investment side. This is yet another factor that makes what Gula Tech does quite unique.
The Gula Tech Foundation’s Spring 2023 Grant focused on "Expanding Opportunities in Cyber for the Neurodivergent." This grant will support organizations that provide practical, hands-on or immersive cyber experiences and/or employment support that aid in the training and development of talented neurodivergent individuals – which includes autism and ADHD, among others - to position them for and accelerate careers in cybersecurity and information technology (IT). The Gula Tech Foundation will award a total of $1 Million; the first place, second place, and third place winners will receive a minimum of $250k, $200k, and $150k, respectively with the remaining $400k awarded to runner ups. The winners of this competitive grant will be announced at the 2023 RSA Conference. Applications for nonprofit organizations will be open from January 18, 2023 to February 18, 2023. You can learn more & apply for the grant here.
Championing awareness and making security accessible
We have witnessed many cases that make it clear: unless people can improve their awareness of cybersecurity and take steps to strengthen their security posture and develop good habits, any measures security teams implement will continue to fail. While this fact is no surprise to anyone working in the industry, the insight that follows might be.
Ron and Cyndi believe that one of the obstacles that keep people from grasping the importance of cybersecurity is the way we talk about it. The word “cybersecurity” itself has too many aspects and flavors and depending on who is using it and in what context, it may mean different things. The Gula Tech team wants to see the word “cybersecurity” replaced with “data care” which would, in their opinion, make it a lot easier to communicate the personal responsibility every individual has to protect their data, and discuss with boards the risks to the company data. The word “security” in some cases can actually be a turn-off to minorities - think about policing, security monitoring, and the like which have negative connotations with certain communities. “Data care” is neutral and easily understood by anyone.
The concept of data care is simple: we need to get people and organizations to take responsibility for the care of their data since data is what we want to have confidentiality, integrity, and availability of.
Data care is similar to healthcare. Whenever someone is in pain, they should go see a doctor. We know that there are many specialists - cardiologists, immunologists, dermatologists, endocrinologists, and the like, but the average person would see a family doctor who would assess the problem and send them to the right care professional. Most importantly, we understand that while doctors are there to help when we are sick, it is our responsibility to take care of our diet, sleep, exercise, and other aspects that impact our well-being.
What happens often in cybersecurity is that we are trying to make everyone a brain surgeon, or their cybersecurity equivalent - a security engineer, expecting an average person to become deeply proficient in security. That is, obviously, unrealistic, and instead of expecting that in five years, we can turn all kids and adults into a Ron Gula or a Kevin Mandia, we need to teach them to take care of their own data and make security a lot more welcoming and inclusive. To do that without dumbing down its importance and the measures people need to take, introducing terms like “data care” can make a difference.
Ron and Cyndi provide a great overview of data care, how it would work, and the impact it would make, on the foundation’s website.
Not only is data care a broad message about the future of security that Gula Tech Foundation is actively promoting, but it is also one of the important areas of the foundation’s grants.
Advocacy and working with policymakers
Another factor that makes Gula Tech different from other investors is its work with public servants in Washington DC.
The Gula Tech team sees advocacy and working with policymakers as one of the ways to shape the future of cybersecurity. Because of their ties with the industry, Ron and the team often get invites to public events, closed-door sessions, and briefings where cyber-focused policies are discussed. The process of informing and influencing policy decisions is very unstructured. The government is a large machine, and all the interactions, conversations, and questions following the talks and presentations add up and help shape the direction in which the industry is moving.
Closing thoughts
The official website of the firm states that “Gula Tech Adventures invests in companies and nonprofits that defend the nation’s cyberspace”. I think this succinct summary undersells the breadth and depth of the areas the company covers.
Many great VC firms are operating in the industry, and each comes with its own perspective, investment thesis, and angle it takes when looking at security. VCs identify and support promising startups so that they can generate financial returns; that is, after all, what the venture model is all about. However, what VC firms don’t do is educate the public, help shape public policy, and support organizations championing social changes. The Gula Tech impact hub does all of that, recognizing that to truly shape the direction of the industry, one must affect many components that impact its trajectory and its speed of change.
The reason I decided to write this unusual interview-informed piece is simple. I think what Gula Tech Adventures does, and the way it does it is the kind of model we need in the industry. We need long-term thinking, we need investors who advocate for products that practitioners can try without having to attend ten demos (it’s very much aligned with my thoughts about PLG in cybersecurity), and we need industry practitioners who understand security to identify the next generation of companies.
We need industry veterans to help build the next generation of cybersecurity startups.
Describing the Gula model is hard: it’s almost like a family office, a lot like a VC, in some aspects like an educational effort, and a part of it is a charity. But, it doesn’t conform to any of these definitions, and it’s not trying to invent a new one - just doing its own thing and looking for effective ways to make a difference and support others who are looking to make a difference on these critical issues. While today the Gula Tech Adventures model is, according to my observation, one-of-a-kind, I am hopeful that we can see more of it (or its variations) in the years to come.
Let me be clear: this is not an ode, and I do not by any means think that Ron, Cyndi, and the team alone will save the industry. But, this is the kind of thinking we need: focused on impact over activity, long-term over short-term, and creation over criticism. And, I think this is the approach worth spreading the word about.
Gratitude
A big thanks to Ron Gula and Rick Olesek of Gula Tech Adventures for sharing their insights and ideas about the industry, as well as for talking about the nuances of their operating model. This piece is written after an interview-like chat with Ron and Rick. All opinions, reflections, and conclusions are my own.